[145464] in cryptography@c2.net mail archive
Re: A mighty fortress is our PKI, Part II
daemon@ATHENA.MIT.EDU (Peter Gutmann)
Wed Jul 28 12:20:12 2010
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: lynn@garlic.com, Nicolas.Williams@oracle.com
Cc: ben@links.org, cryptography@metzdowd.com, perry@piermont.com,
pgut001@cs.auckland.ac.nz
In-Reply-To: <20100728150525.GR566@oracle.com>
Date: Thu, 29 Jul 2010 03:51:33 +1200
Nicolas Williams <Nicolas.Williams@oracle.com> writes:
>Exactly. OCSP can work in that manner. CRLs cannot.
OCSP only appears to work in that manner. Since OCSP was designed to be 100%
bug-compatible with CRLs, it's really an OCQP (online CRL query protocol) and
not an OCSP. Specifically, if I submit a freshly-issued, valid certificate to
an OCSP responder and ask "is this a valid certificate" then it can't say yes,
and if I submit an Excel spreadsheet to an OCSP responder and ask "is this a
valid certificate" then it can't say no. It takes quite some effort to design
an online certificate status protocol that's that broken.
(For people not familiar with OCSP, it can't say "yes" because a CRL can't say
"yes" either, all it can say is "not on the CRL", and it can't say "no" for
the same reason, all it can say is "not on the CRL". The ability to say
"valid certificate" or "not valid certificate" was explicitly excluded from
OCSP because that's not how things are supposed to be done).
Peter.
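An added illustration of the "not on the CRL" point in the message above (example code, not Peter's; the two responder classes, the sample serials and the use of "unknown" for a never-issued serial are constructed assumptions, though RFC 2560's definition of "good" as meaning only "not revoked" is real): a responder that consults only a CRL answers "good" for a serial the CA never issued exactly as it does for a freshly issued one, while a responder backed by the CA's own issuance records can tell the two apart.

```python
from dataclasses import dataclass, field
from enum import Enum


class CertStatus(Enum):
    GOOD = "good"        # RFC 2560: "not revoked", nothing more
    REVOKED = "revoked"
    UNKNOWN = "unknown"  # responder has no record of this serial


@dataclass
class CrlBackedResponder:
    """Answers from the CRL alone: the only question it can answer is
    'is this serial on the CRL?', so anything absent is reported GOOD."""
    revoked_serials: set = field(default_factory=set)

    def status(self, serial: int) -> CertStatus:
        if serial in self.revoked_serials:
            return CertStatus.REVOKED
        return CertStatus.GOOD  # never issued? still "good"


@dataclass
class IssuanceDbResponder:
    """Answers from the CA's issuance records plus revocations (assumed
    design): a serial the CA never issued is UNKNOWN rather than GOOD."""
    issued_serials: set = field(default_factory=set)
    revoked_serials: set = field(default_factory=set)

    def status(self, serial: int) -> CertStatus:
        if serial in self.revoked_serials:
            return CertStatus.REVOKED
        if serial in self.issued_serials:
            return CertStatus.GOOD
        return CertStatus.UNKNOWN


# Constructed sample data: CA issued 0x1001 and 0x1002, then revoked 0x1002.
ISSUED = {0x1001, 0x1002}
REVOKED = {0x1002}
NEVER_ISSUED = 0xDEAD  # stands in for the "Excel spreadsheet" query


def compare(serial: int) -> tuple:
    """Return (CRL-backed answer, issuance-DB-backed answer) for one serial."""
    crl = CrlBackedResponder(REVOKED)
    db = IssuanceDbResponder(ISSUED, REVOKED)
    return crl.status(serial), db.status(serial)


if __name__ == "__main__":
    for s in (0x1001, 0x1002, NEVER_ISSUED):
        print(hex(s), *(st.value for st in compare(s)))
```

Only the last query separates the two designs: the CRL-backed responder reports the never-issued serial as "good", the record-backed one as "unknown".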
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com